ABSTRACT

A verification data generating apparatus generates data that can be stored in a terminal device without sustaining unauthorized operations and has assured continuity in the order of being output.

In the apparatus, a verification value holding element holds a verification value. A data generating element generates a data body at a predetermined timing. Whenever the data body is generated, a verification value generating element generates a new verification value based on the verification value held in the verification value holding element and the newly generated data body. The verification value held in the verification value holding element is then updated with the new verification value. A data storing element stores the data bodies generated by the data generating element in order. On receiving a verification data outputting request, a verification data outputting element generates a signature value based on the verification value held in the verification value holding element and outputs verification data generated by concatenating the signature value with the data bodies stored in the data storing element.

9 Claims, 12 Drawing Sheets
VERIFICATION DATA GENERATING APPARATUS, DATA VERIFICATION APPARATUS AND STORAGE MEDIUM FOR STORING VERIFICATION DATA GENERATING PROGRAM

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a verification data generating apparatus, a data verification apparatus and a storage medium for storing a verification data generating program, and in particular relates to a verification data generating program that provides a signature to a data group to generate verification data, a data verification apparatus that verifies the verification data with a signature, and a storage medium for storing a verification data generating program to attach a signature to a data group.

2. Discussion of the Related Art

Recently, networks have developed and various kinds of information are digitized to be distributed through a network. Information such as character information, still pictures, animations, sound information and programs can be digitized, and we can obtain various services on the network that are combinations of those pieces of digital information. However, digital information has a major defect in that it is easily copied. A copy of a piece of digital information is completely the same as the original. Once the digital information is distributed through the network, there is a possibility that the information would be copied and used without the authorization of the author. Therefore, the author can hardly receive the justifiable reward which he/she deserves. Thus the ease of copying has been a factor that prevents distribution of digital information on the network.

To overcome the problem, systems such as "CD-Showcase" (Trademark of International Business Machines Corporation) have been offered, wherein digital information is encrypted to be freely distributed and used with a decryption key acquired through the telephone network at some charge. However, in this method it is impossible to impose a charge on a user according to the frequency of use.

To impose the charge on the user according to the frequency of use, it is necessary to collect charge imposing information such as a using history. The collection of the using history requires a system for assuring the legitimacy of the using history because it is also a piece of digital information.

As disclosed by Japanese Patent Application Laid-Open No. Hei. 3-25605 "Charge imposing information transmission method" (1991) and Japanese Patent Application Laid-Open No. Hei. 6-180762 "Charge imposing information collection system" (1994), devices for outputting the charge imposing information are connected to the communication network to automatically collect the charge imposing information. If the communication network is utilized, the legitimacy of the charge imposing information can be assured by a digital signature method or the like using the RSA (Rivest, Shamir, Adleman) encryption (see "Encryption Theory Introduction", Eiji Okamoto, Kyoritsu Publishing Company, 1993, pp. 134-138).

The above cases are suggested on the premise that a terminal device for using the digital information is always connected to a network. The premise is made because of bad effects such as tampering with the data by the user or system troubles caused by the storage of the data in off-line terminal devices for a long time. However, in general, most users utilize the digital information off-line. Therefore it is hardly acceptable to constantly control the user's terminal device through the network, considering the communication costs or operability of the system.

An Integrated Circuit (IC) card attracts attention as a medium for storing secret information. The charge imposing information or the like can be securely collected by the IC card. Japanese Patent Publication No. Hei. 6-95302 (1994) discloses a "Software administration method" applied to a system that imposes a charge for using software according to the amount of use and collects the charge by utilizing the IC card. More specifically, a user buys an IC card at a predetermined agency. The price is then written in a balance memory of the card. When the user activates the software, the balance memory of the IC card is checked and the amount corresponding to the charge for using the software is subtracted from the balance memory. When the user spends the whole amount of money written in the balance memory of the card, the card is forwarded to a Software Service Association (hereinafter referred to as SS association). Particulars of use of the software are stored in the IC card. The SS association pays the charge for using to the author of the software based on the particulars. Therefore, it is possible to allow the user to use the software off-line and impose the charge on the user for the use of the software.

However, the method of forwarding the IC card that stores the using particulars to the SS association has problems in that whenever the amount of money stored in the balance memory of the card has been exhausted, the user has to wait for re-distribution of the card from the SS association or buy a new IC card at the agency. In addition, the history data generally tends to be long. Accordingly, if the history data is stored in the IC card, it is necessary to frequently renew the card because it has only a small memory capacity.

Therefore, a technology is required for securely saving data such as the charge imposing information generated by the IC card in the terminal device, which should certainly be forwarded to the SS association. If the charge imposing information can be securely saved in the terminal device, frequent reissue of the IC card is unnecessary despite the small memory capacity of the card. The off-line services are available as a matter of course. The history data such as the charge imposing information is output many times. Consequently, it is necessary to maintain the order of the output pieces of the history data. The SS association must verify the history data including the order of the pieces of the history data. If a piece of the history data is missed, the charge corresponding thereto cannot be collected.

SUMMARY OF THE INVENTION

The present invention has been made in view of the above circumstances and has an object to provide a verification data generating apparatus capable of generating data that can be saved in a terminal device without sustaining unauthorized operations and is assured to have continuity in the order of being output.

Another object of the present invention is to provide a data verification apparatus that can verify the data to be saved in a terminal device without sustaining unauthorized operations, where the continuity in the order of outputting pieces of the data is also verified.

Still another object of the present invention is to provide a storage medium storing a program to have a computer
generate verification data that can be saved in a terminal device without sustaining unauthorized operations and is assured to have continuity in the order of being output.

Additional objects and advantages of the invention will be set forth in part in the description which follows and in part will be obvious from the description, or may be learned by practice of the invention.

To achieve the objects and in accordance with the purpose of the invention, as embodied and broadly described herein, a verification data generating apparatus of the present invention comprises a verification value holding element that holds a verification value and a data generating element that generates data bodies. The apparatus also comprises a verification value generating element that generates a new verification value based on both the verification value held in the verification value holding element and the data body whenever the data body is generated, and updates the verification value held in the verification value holding element with the new verification value. The apparatus further comprises a data storing element that stores the data bodies generated by the data generating element in order of being generated, and a verification data outputting element that generates a signature value by using the new verification value on receiving a verification data outputting request and outputs verification data including the data bodies and the signature value.

A data verification apparatus according to the present invention comprises a verification value holding element that holds a verification value and a reference verification value generating element that receives verification data that is a set of data bodies and a signature value attached thereto and generates a reference verification value based on the verification value and the set of data bodies. The apparatus also comprises an authenticating element that collates a verification value obtained from the signature value with the reference verification value and authenticates the verification data if the signature value and the reference verification value are consistent with each other. The apparatus further comprises a verification value updating element that updates the verification value with the reference verification value if the verification value obtained from the signature value and the reference verification value are consistent with each other.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the objects, advantages and principles of the invention. In the drawings:

FIG. 1 shows a basic configuration of a verification data generating apparatus according to the present invention;

FIG. 2 shows a schematic configuration of a history management system using an IC card;

FIG. 3 shows a configuration of an encapsulated software;

FIG. 4 shows a hardware configuration of the IC card;

FIG. 5 is a block diagram showing processing functions of the IC card;

FIG. 6 is a flow chart showing procedures of starting execution of the encapsulated software;

FIG. 7 shows an example of a log configuration;

FIG. 8 shows a configuration of a log set with a signature;

FIG. 9 shows an example of configuration of a plain text attached as a signature value to the log set;

FIG. 10 is a flow chart showing procedures of outputting the log set from the IC card;

FIG. 11 shows an example of a user database managed by a history management center;

FIG. 12 is a flow chart showing procedures of verification of the log set in the history management center;

FIG. 13 shows details of procedures of verification of a verification value;

FIG. 14 shows an example of configuration of use extension data; and

FIG. 15 shows an authentication process for the use extension data in a second embodiment.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 1 shows a basic configuration of a verification data generating apparatus according to the present invention. A verification value holding element 1 holds a verification value. A data generating element 2 generates a data body at a predetermined timing. For example, when a certain data processing request is received, a history of the previous data processing is generated as the data body.

Whenever the data body is generated by the data generating element 2, a verification value generating element 3 generates a new verification value based on the verification value held by the verification value holding element 1 and the newly generated data body. With the new verification value, the preceding verification value held by the verification value holding element 1 is updated. A data storing element 4 stores the data bodies generated by the data generating element 2 in order. On receiving a verification data outputting request, a verification data outputting element 5 generates a signature value based on the verification value held by the verification value holding element 1 and outputs verification data that is a combination of the generated signature value and the data body stored in the data storing element 4.

Accordingly, whenever the data processing request is executed, a new data body is stored in the data storing element 4 and the verification value held by the verification value holding element 1 is updated. When the verification data outputting request is made, verification data with a signature value generated based on the verification value in the verification value holding element 1 is output.

The verification data is thus output with the signature attached. Therefore, the content of the data body cannot be tampered with even though the data is stored in the terminal devices or the like. In addition, since the new verification values are generated using the data bodies generated in order and the verification values previously generated, the continuity in the order of the output verification data is assured. (In the case where a large number of pieces of the verification data are generated, if a piece of the verification data is missed, the data cannot be authenticated by the verification apparatus such as a server.) As a result, the verification data can be frequently output to the outside and stored there. Consequently, though the memory capacity of the data storing element 4 is small, no problem occurs.

The verification data generating apparatus of the present invention can be implemented on the IC card. In this case, the history data is not forwarded with the card. The verification value is held by the IC card, and the history data is read from the IC card and temporarily saved in the terminal device. The history data is then transmitted from the terminal device to the history management center through the network. Thus the off-line collection of the histories and
assurance of the legitimacy of the history data are possible.

The IC card capable of securely obtaining the history data or the like using a technique such as the digital signature has already been distributed as a commercial product. It is also prescribed as a secure messaging technique in ISO/IEC-

A first embodiment of the verification data generating apparatus and the data verification apparatus according to the present invention is described with an example where information such as the history data is read from the IC card and saved in a terminal device, and then charge imposing information is transmitted to the history management center at an arbitrary timing.

First Embodiment

FIG. 2 shows a schematic configuration of a history management system using the IC card. A personal computer (PC) 110 of a user is connected to a history management center 130 through a network 120 such as the Internet. The history management center 130 performs the user registration and management of user data, histories of services offered to the users or the like. The history management center 130 also provides encapsulated software (hereinafter referred to as "capsule") 300 at the request of the PC 110. Here, encapsulation means the encryption of the software with an encryption algorithm, for example, Data Encryption Standard (DES), such that the software cannot be used without decryption. It is possible to offer the capsule 300 to the users by a medium such as a CD-ROM.

A reader/writer 140 is connected to the PC 110 with an interface such as one prescribed by the Electronic Industries Association. The user connects an IC card 200 to the reader/writer 140 to obtain a decryption key for the capsule 300 or the using history provided by the history management center 130.

The IC card 200 is given to the user by a provider who offers the software, or by the history management center 130 at the request of the provider. In this example, the user obtains the services through the PC 110. However, a local terminal device for utilizing the services is not limited to a PC. For example, a workstation, a server, an Automatic Teller Machine (ATM) and so forth may also be used.

FIG. 3 shows a configuration of the encapsulated software. The content of the capsule 300 consists of a header 310 and the encrypted software 320. The header 310 includes a capsule ID 311 for identifying the capsule, charge imposing information 312 used for calculating the charge for using, and decryption key generation data 313 for generating the decryption key for the software. Software created by a provider is encapsulated by the history management center or similar facilities.

FIG. 4 shows a hardware configuration of the IC card. The IC card 200 is a computer system including a CPU 210. Other elements are connected to the CPU 210 through an internal system bus. A Random Access Memory (RAM) 220 temporarily stores data to be processed by the CPU 210. A Read Only Memory (ROM) 230 stores a program that makes the CPU 210 execute functions necessary to the IC card 200. An input/output terminal device (I/O) 240 performs data communication with the reader/writer 140 in accordance with a predetermined standard. A Programmable Read Only Memory (PROM) 250 stores secret information necessary for generating the decryption key from the decryption key generation data 313 that has been encrypted, and so forth. The PROM 250 can be replaced with another storage device as long as the data can be overwritten and the data can be saved even when a power source is turned off (namely, nonvolatile memory).

FIG. 5 is a functional block diagram showing processing functions of the IC card.

A log generation unit 201 receives the header from the PC 110 and generates a log. If the value of a log counter 204a is the same as that of a storable number of logs 201a, the log generation unit 201 returns an error status to the PC 110 instead of generating the log. The storable number of logs 201a is the number of logs which can be stored in a log set storage unit 204. The number is predetermined corresponding to the capacity of the PROM 250 of the IC card 200.

A verification value storage unit 202 stores a verification value to be used in verification of the continuity of the order of logs by the IC card 200 and the history management center 130. The verification method will be described later.

Whenever a new log is generated by the log generation unit 201, an MD5 operation unit 203 generates a new verification value. Specifically, at first, the log generated by the log generation unit 201 is combined with the verification value stored in the verification value storage unit 202. A message digest is calculated based on the combined value using the one-way hash function "MD5" (see The MD5 Message-Digest Algorithm, R. Rivest, Internet RFC 1321 (1992)) to generate the verification value. With the newly generated verification value, the verification value in the verification value storage unit 202 can be updated.

In this example, the verification value is generated by using the one-way hash function "MD5". Here, the "one-way" characteristic means that the value before calculation cannot be obtained from the calculation result by the inverse operation. "MD5" can be replaced with a function that has the above-mentioned one-way characteristic.

The log set storage unit 204 stores a log set, which is a set of logs, concatenating the logs generated by the log generation unit 201 one after another.

A log counter 204a holds the number of logs stored in the log set storage unit 204. The value of the counter returns to zero when the log set in the log set storage unit 204 is deleted.

When the log is generated by the log generation unit 201, a decryption key generation unit 205 generates the decryption key based on the secret information data in the IC card 200 and the decryption key generation data 313 in the capsule 300 and forwards it to the PC 110.

On receiving a log set outputting request from the PC 110, a log management unit 206 outputs the log set stored in the log set storage unit 204 to the PC 110. At this time, the value of a log set serial number counter 206a is attached to the output log set. The log set serial number counter 206a stores the serial number of the log set. Every time the log set is deleted, the log set serial number counter 206a increments its value by one. Whether the deletion of the log set is possible is managed based on a log set outputting status 206b. When the log set outputting status 206b is "FALSE", the log set cannot be deleted. When the log set outputting status 206b is "TRUE", it is possible to delete the log set.

An operation controlling unit 207 controls activating and suspending of the basic functions of the IC card 200. More specifically, when the current time exceeds the range of a term of use 207a or the value of a subtraction counter for the logs that can be generated 207b is zero, the functions of the IC card 200 are suspended. The suspended functions are activated again in accordance with an instruction of a use
extension data authentication unit 208. The term of use of the IC card 200 is set in the term of use 207a. In the subtraction counter for the logs that can be generated 207b, a limit of the number of times of use of the capsule before the forwarding of the log set to the history management center 130 is set as an initial value. Every time a log is generated by the log generation unit 201, the value of the subtraction counter 207b is decremented by one.

The use extension data authentication unit 208 receives the use extension data from the PC 110 and authenticates it. If the authentication succeeds, the use extension data authentication unit 208 updates the values of the term of use 207a and the subtraction counter for the logs that can be generated 207b by utilizing the use extension data.

The encrypted software in the capsule 300 is executed using the IC card having the above-described functions as follows.

The user connects the IC card 200 to the reader/writer 140 and makes the PC 110 activate the capsule 300.

FIG. 6 is a flow chart showing capsule execution starting procedures. The processes shown on the left side of the dotted line are performed by the PC 110 and those shown on the right side of the dotted line are performed by the IC card 200.

S1: The PC 110 transmits the header 310 in the capsule 300 to the IC card 200.

S2: After the IC card 200 receives the header 310, the log generation unit 201 generates a new log and transmits it to the MD5 operation unit 203 and the log set storage unit 204.

S3: The MD5 operation unit 203 generates a new verification value based on the received log and the verification value previously stored in the verification value storage unit 202, and updates the previous verification value in the verification value storage unit 202.

S4: The log set storage unit 204 concatenates the new log with the log set stored therein. At this time, if the log set outputting status 206b is "TRUE", the log management unit 206 changes it into "FALSE".

S5: The value of the log counter 204a is incremented by one. The value of the subtraction counter for the logs that can be generated 207b is decremented by one.

S6: The decryption key generation unit 205 generates the decryption key by utilizing the decryption key generation data 313 and the secret information data, and forwards it to the PC 110.

S7: On receiving the decryption key, the PC 110 decrypts the encrypted software with the decryption key to execute the software.

Thus, whenever the user executes the software in the capsule, the using history is saved as a log in the IC card 200.

FIG. 7 shows a configuration of the log. The log 400 includes a capsule ID 401, a log generation time 402 and charge imposing information 403. Since the log 400 is temporarily stored in the IC card 200, a small number of bytes constituting each element is preferable. Here, it is assumed that the system time is represented by four bytes corresponding to the Coordinated Universal Time (UTC). It is unnecessary to include all four UTC bytes in the log generation time. For example, if a detailed value is not required, it may be sufficient to include the upper three bytes in the log generation time. If only a relative value is required, the lower three bytes may be included.

Then a method of collecting and verifying the log set saved in the IC card 200 by the history management center 130 is described as follows. The plural logs in the log set storage unit 204 are concatenated in order of generation and stored as a log set in the nonvolatile memory (PROM 250) in the IC card 200. However, it is impossible to store a large amount of log data in the IC card 200 because the memory capacity of the IC card 200 is not very large. Therefore, the storable number of logs 201a is set in the IC card 200 in advance. When the value of the log counter 204a reaches the value of the storable number of logs 201a, the log generation unit 201 cannot generate a new log and the decryption key generation unit 205 does not output a decryption key. Accordingly, it is impossible to execute the software.

In this condition, the user operates the PC 110 so that the PC 110 makes a log set outputting request to the IC card 200. On receiving the log set outputting request, the IC card 200 attaches its signature to the log set and outputs the log set with the signature. The output of the log set is also available before the value of the log counter 204a reaches the storable number of logs 201a.

FIG. 8 shows a configuration of a log set with a signature. The log set with a signature 500 includes a user ID 501, a log set generation time 502, a log set serial number 503, a signature value 504, a number of logs 511 and logs (to the number of n) 512.

FIG. 9 shows a configuration of a plain text attached as a signature value 504 to the log set. The case of encryption of a plain text 700 with a secret key of the IC card 200 is now explained. The encryption method is not limited to a public-key cryptosystem. If the secret key can be securely shared by the history management center 130 and the IC card 200, a symmetric cryptosystem may be used.

The plain text 700 to be signed includes a user ID 701, a log set generation time 702, a log set serial number 703, a number of logs 704 and a verification value 705. The verification value 705 is the same as that stored in the verification value storage unit 202 when the log set 500 is output. The plain text 700 including these pieces of information is encrypted by the secret key of the IC card 200 to obtain the signature value 504.

FIG. 10 is a flow chart showing procedures of outputting the log set from the IC card. The processes shown on the left side of the dotted line are performed by the PC 110 and those shown on the right side of the dotted line are performed by the IC card 200.

S11: The PC 110 makes a log set outputting request to the IC card 200.

S12: In the IC card 200, the log management unit 206 receives the log set outputting request and changes the log set outputting status 206b into "TRUE". Then the log set with a signature 500 as shown in FIG. 8 is output.

S13: The PC 110 obtains the log set from the IC card 200.

S14: The PC 110 determines whether the log set is normally obtained. If the PC 110 normally obtained the log set, the process proceeds to step S15. Otherwise, the process returns to step S11, where the PC 110 makes the log set outputting request to the IC card 200, and the processes of steps S11 through S15 are repeated.

S15: The PC 110 makes a log set deletion request to the IC card 200.

S16: In the IC card 200, the log management unit 206 receives the log set deletion request and determines whether the log set outputting status 206b is "TRUE". If it is "TRUE", the process proceeds to step S17. Otherwise, the process proceeds to step S21.
S17: The log management unit 206 deletes the log set in the log set storage unit 204.

S18: The log counter 204a resets its value to zero.

S19: The log set serial number counter 206a increments the log set serial number held therein by one.

S20: The log management unit 206 returns a status indicating normal end to the PC 110, and then the process is completed.

S21: If the log set outputting status 206b is "FALSE", the log management unit 206 does not delete the log set and returns an error status to the PC 110.

If the IC card 200 is in a reset condition, the log set outputting status 206b becomes "FALSE", considering the case where an error is generated during the output of the log set.

In the log set output procedures, the output of the log set and the deletion of the log set are performed according to the respective instructions as described above. The reason for the separate instructions is related to the protocol format of the IC card 200, described as follows. With the data transmission protocol T=0 and/or T=1 (ISO/IEC 7816-3) of the IC card 200, the IC card 200 outputs the data to an interface device (here, the PC 110) and then changes its status to a reception waiting status. Therefore, it is impossible to execute further processes in the IC card 200. If the output and deletion of the log set were to be performed in accordance with a single command, a log set would have to be output after the log set is deleted. In the case where the output of the log set fails during the communication, the log set is lost.

To the contrary, suppose that two commands, the log set output command and the log set deletion command, are

For the verification of the log set forwarded by each user to be performed in the history management center, the center is required to have the user database as described below.

FIG. 11 shows an example of a user database managed by the history management center. The user database 900 stores history management data 910 for each user. The history management data 910 includes a user ID 911, a last serial number 912 of a log set in the last verification, a verification value 913 of the log set corresponding to the serial number 912, and user-unique data 914 used for authentication or the like.

When the capsule becomes unavailable because the term of use expires, or at an earlier arbitrary timing, the user forwards all of the log sets output from the IC card 200 to the history management center 130. It is preferred that the user transmits the log sets output from the IC card 200 in order of the log set serial numbers. This is unnecessary if the history management center 130 can sort the log set serial numbers. However, the complete set of output log sets, without any lacking, is required.

FIG. 12 is a flow chart showing procedures of verification of the log sets in the history management center. All processes are executed by a computer of the history management center 130.

S31: The log sets are received.

S32: The received log sets are sorted in order of the serial numbers. In addition, the corresponding history management data 910 is obtained from the user database 900 based on the user ID. It is confirmed that the minimum value of the serial numbers of the log sets received this time directly follows the log set serial number 912 of the user verified immediately before. Then the continuity of the serial numbers of the log

merely prepared. If the user issues the log set deletion sets received this time is confirmed. If no log set is missed, 

command to the IC card before the output of the log set by the process proceeds to the step S33. Otherwise, the process 

mistake, the log set is lost. Therefore, in the present 35 proceeds to the step S35. 

invention, the IC card has the log set outputting status 206b. 533. continuity of the logs is verified by using the 

Only when the log set 203 is output, the log set outputting verification value 705 stored in the signature of the log set. 

status 206fc becomes "TRUE" and the log set can be deleted. If the verification is correctly performed, the process pro- 

If the software is activated after the output of the log set, a ceeds t0 the step 534 otherwise, the process proceeds to the 

new log is generated in the IC card 200 and the log set 40 step 535, ihe deta ii s 0 f the verification procedures are 

outputting status 2066 becomes "FALSE". Accordingly, the described later. 

log set cannot be deleted until the log set is output. s34; ^ use extension data is ^ sncd ^ forwarded to the 

The log set 500 output from the IC card 200 is temporarily pQ jjq 

stored in the PC 110. The history management center 130 s35 . ^ errof status fc retumed t0 lhe PC 110. 

collects the log set 500 stored in the PC 110 at predetermined 45 r tU u„« *u a A~ t ~ 

, „ & , . * . 1, * j 1 *t_ In this way, the user can obtain the use extension data, 

intervals. Based on the content of the collected logs, the / , . e . .„ L . 

history management center 130 collects the charges from the ^'i 3 ^ Procedures of verifying of the .verification 

users to distribute the charges to the author of the software. value * ]\ e f ? Uowm S P rocesses are exec * ed bv the com - 

For efficiently collecting the histories (logs), the term of use P uter of lhe hlstor y management center 130. 

207* and a number of logs that can be generated are set in 50 S331: ™ e lo S set 15 venfied - For the verification, plural 

the IC card 200 in advance. The term of use 207a represents J°S S 512 " lhrou g h f 12 " ***** signature value 504 in the 

the date when the validity of the card expires. After the term lo S 861 500 are If P lural lo S scts exist > the verification 

of use 207a, the use of the IC card 200 is suspended and the 15 performed m order of the serial numbers, 

capsule 300 cannot be utilized. To use the IC card 200 and At first, the legitimacy of the log set is verified, 

the capsule 300 again, it is necessary to transmit the log set 55 Specifically, the signature value 504 in the log set 500 is 

output so far to the history management center 130 and verified with the public key of the I C card 200 corresponding 

obtain the use extension data. The number of logs that can to the user ID 501. Thus the conformity between the user ID. 

be generated, namely, the number of times capable of using 501 ^ the log set 500 and the user ID 701 in the plain text 

the capsule 300 before transmitting the log set to the history 700 of the signature value is confirmed, 

management center 130 is set as an initial value of the 60 Then the first log 512a is concatenated with the preceding 

subtraction counter for the logs that can be generated 2076. verification value 913 and a new verification value is gen- 

When the value of the counter 207b becomes zero, the status erated in the same way as the IC card 200 generates the 

of the IC card 200 is changed to the suspended status. verification value. That is, a message digest is calculated for 

Therefore the capsule 300 cannot be used. To use the IC card the concatenated value using the one-way hash function 

200 and the capsule 300 again, the log set must be forwarded 65 MD5 to generate the new verification value 913a. 

to the history management center 130 to obtain the use Next the log 5126 is concatenated with the verification 

extension data. value 913a to generate a new verification value 913b. The 
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same operation is performed on the logs 512c through 512n. 
As a result, a verification value 913n that is a message digest 
for the concatenated value of the log 512/t and the verifi- 
cation value 913m is generated. 

S332: The verification values 705 and 913n are compared.
If the values are consistent with each other, the process
proceeds to the step S333. Otherwise, the process proceeds
to the step S334.

S333: If the next log set exists, its verification value is
verified in the same way as the above procedures. If the next
log set does not exist, that is, the verification of all log sets
received from the user is completed, the last serial number 912
of the preceding verification in the history management data
of the user managed by the history management center is
updated with the serial number of the last log set verified this
time. In addition, the last verification value 913 of the
preceding verification is updated with the verification value
of the last log set verified this time.

S334: An error status is returned to the user and the
process is completed.

In this way, the history management center 130 verifies
the log set and issues the use extension data.
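The center-side procedure of steps S31 through S334, written out as an added Python example that is not part of the patent text: the log sets are sorted, the serial numbers are checked for continuity against the last serial number 912, each signature is checked, the chain of verification values is recomputed from the stored verification value 913 over the logs 512a through 512n and compared with the verification value 705 in the signature, and the history management data 910 is updated only after every received set has verified. The example assumes a byte layout for the log set 500 and the signed plain text 700 that the page does not specify, an all-zero initial verification value for a fresh card, and HMAC-SHA256 as a stand-in for the IC card's public-key signature 504 so that it runs offline (a shared key would let the center forge card signatures, which is exactly why the page uses a public key; the stand-in is for self-containment only). MD5 is kept because the page specifies it; nothing in the procedure depends on the hash choice, and a new design would use SHA-256.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Constructed layout: the patent names the fields of the log set 500 and of the
# signed plain text 700 but gives no byte encoding, so all encodings are assumptions.
INITIAL_VV = bytes(16)   # assumed verification value of a card that has never logged

def chain_step(prev_vv: bytes, log: bytes) -> bytes:
    """One step of S331: MD5 over the log concatenated with the previous verification value."""
    return hashlib.md5(log + prev_vv).digest()

def plain_text(user_id: str, serial: int, vv: bytes) -> bytes:
    """Plain text 700: user ID 701 and verification value 705; the serial is an added assumption."""
    return user_id.encode() + serial.to_bytes(4, "big") + vv

def sign(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 stands in for the IC card's public-key signature 504 (assumption)."""
    return hmac.new(key, msg, "sha256").digest()

@dataclass(frozen=True)
class LogSet:                 # log set 500
    user_id: str              # user ID 501
    serial: int               # log set serial number
    logs: Tuple[bytes, ...]   # logs 512a through 512n
    vv: bytes                 # verification value 705 carried in the signed plain text
    signature: bytes          # signature value 504

@dataclass(frozen=True)
class HistoryData:            # history management data 910
    user_id: str              # 911
    last_serial: int          # last serial number 912
    vv: bytes                 # last verification value 913

def card_output(key: bytes, user_id: str, serial: int, prev_vv: bytes,
                logs: List[bytes]) -> Tuple[LogSet, bytes]:
    """What the IC card emits on a log set output request (card side, used by the demo)."""
    vv = prev_vv
    for log in logs:
        vv = chain_step(vv, log)
    return LogSet(user_id, serial, tuple(logs), vv, sign(key, plain_text(user_id, serial, vv))), vv

def verify_log_sets(record: HistoryData, received: List[LogSet],
                    card_keys: Dict[str, bytes]) -> Tuple[str, HistoryData]:
    """Steps S32 through S334; returns a status and the record, updated only on success."""
    sets = sorted(received, key=lambda s: s.serial)              # S32: sort by serial
    expected = record.last_serial + 1
    for s in sets:                                                # S32: continuity check
        if s.serial != expected:      # a gap, a duplicate, or a replay of an already verified set
            return "missing or replayed log set", record
        expected += 1
    vv = record.vv
    for s in sets:
        key = card_keys.get(s.user_id)                            # card key for user ID 501
        if s.user_id != record.user_id or key is None or not hmac.compare_digest(
                sign(key, plain_text(s.user_id, s.serial, s.vv)), s.signature):
            return "bad signature", record                        # legitimacy check failed
        for log in s.logs:                                        # S331: re-chain from 913
            vv = chain_step(vv, log)
        if not hmac.compare_digest(vv, s.vv):                     # S332: compare with 705
            return "verification value mismatch", record          # S334
    if not sets:
        return "ok", record
    return "ok", HistoryData(record.user_id, sets[-1].serial, vv) # S333: update 912 and 913

def demo() -> Dict[str, object]:
    """Constructed scenario: one card, two log sets, then tamper, gap and replay cases."""
    key = b"card-key-U0001"
    keys = {"U0001": key}
    record = HistoryData("U0001", 0, INITIAL_VV)
    s1, vv1 = card_output(key, "U0001", 1, INITIAL_VV,
                          [b"capsule run 2000-01-01", b"capsule run 2000-01-02"])
    s2, vv2 = card_output(key, "U0001", 2, vv1, [b"capsule run 2000-01-03"])
    out: Dict[str, object] = {}
    status, updated = verify_log_sets(record, [s2, s1], keys)     # delivered out of order
    out["in_order"] = status
    out["record_serial"] = updated.last_serial
    out["record_vv_ok"] = updated.vv == vv2
    tampered = replace(s1, logs=(b"capsule run 2000-01-01", b"capsule run 2000-01-09"))
    out["tampered"] = verify_log_sets(record, [tampered, s2], keys)[0]
    out["missing"] = verify_log_sets(record, [s2], keys)[0]       # set 1 never arrived
    out["replay"] = verify_log_sets(updated, [s1], keys)[0]       # set 1 presented again
    return out
```

The demo shows the properties the page relies on: a set delivered out of order is simply sorted; a log altered after output fails at S332 even though the signature over the original verification value still verifies; a missing set and a replay of an already verified set are both caught by the continuity check at S32, because the last serial number 912 only advances at S333 after the whole batch verified.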

FIG. 14 shows an example of a configuration of the use
extension data. Specifically, the figure shows a plain text 800
of the use extension data before the signature is attached.
The plain text 800 includes a number of logs that can be
generated 801, an effective term 802 and a verification value
803. Here, the verification value 803 is the verification value
of the log set verified last. The history management center
130 attaches a signature to the plain text 800 by using its
secret key and forwards it as the use extension data to the
user.

The user inputs the received use extension data to the IC
card 200. In the IC card 200, the use extension data
authentication unit 208 verifies the signature of the use
extension data with the public key of the history management
center 130 registered in advance. If the verification value
803 in the use extension data and the verification value in the
verification value storage unit 202 are consistent with each
other, the term of use 207a of the IC card 200 is updated with
the effective term 802 in the use extension data. In addition,
the value of the subtraction counter for the logs that can be
generated 207b is updated with the number of logs that can
be generated 801 described in the use extension data. If the
IC card 200 is in the suspended status, the operation con-
trolling unit 207 cancels the suspended status.

In the above description, the case where all log sets can be
collected is taken as the example. However, even if a part of
the log sets is destroyed by an accident, the log sets other than
the destroyed part can still be verified according to the
present invention, because the log sets are managed based
on the log set serial numbers and the signature of the IC card
is attached to each log set.

Second Embodiment 

In a second embodiment, the capsule 300 can be used
during the period from the output of the log set to the
reception of the use extension data. In the first embodiment,
if the capsule 300 is executed between the transmission of
the log set 500 to the history management center 130 and the
reception of the use extension data, a new log is generated
in the IC card 200 and the verification value is updated.
Therefore, the use extension data cannot be verified. To
prevent this problem, the use of the capsule could be
prohibited during the period from the transmission of the log
set from the user to the history management center 130 to
the reception of the use extension data. However, even
where a network is utilized, the capsule 300 would then be
unavailable for some time. This causes inconvenience to the
user. Accordingly, the second embodiment allows the cap-
sule 300 to be used, as long as the log can be stored in the
IC card, even after the user forwards the log set to the
history management center 130.

The second embodiment is the same as the first embodi- 
ment except the processing function of the use extension 
data authentication unit 208. Therefore, the second embodi- 
ment is described utilizing the reference numbers assigned 
to the elements of the first embodiment. 

FIG. 15 shows the process of authentication of the use
extension data in the second embodiment. Suppose a case
where the user forwards the log sets output so far to the
history management center 130 and after that uses the
capsule n times. As shown in the figure, n logs 204a
through 204n are stored in the log set storage unit 204. In
this condition, the user receives the use extension data 800
from the history management center 130 and inputs it to the
IC card 200. Then the following processes are executed.

S41: In the IC card 200, the use extension data authen-
tication unit 208 verifies the signature of the use extension
data with the public key of the history management center
130 to obtain the verification value 803 in the use extension
data. The first log 204a in the log set storage unit 204 is then
concatenated with the verification value 803 in the use
extension data and a verification value 803a is generated in
the same way as the MD5 operation unit 203 generates the
verification value. Similarly, new verification values are
generated in order from the logs 204b through 204n and the
previously generated verification values 803a through 803m,
and finally a verification value 803n is generated.

S42: The use extension data authentication unit 208
compares the verification value 202a in the verification
value storage unit 202 with the verification value 803n. If the
values are consistent with each other, the process proceeds
to the step S43. Otherwise, the process proceeds to the step
S44.

S43: The use extension data authentication unit 208
updates the term of use 207a of the IC card 200 with the
effective term 802 in the use extension data. In addition, the
value of the subtraction counter for the logs that can be
generated 207b is updated with the value obtained by
subtracting the value of the log counter 204a (=n) from the
number of logs that can be generated 801 in the use
extension data. If the IC card 200 is in the suspended status,
the operation controlling unit 207 cancels the suspended
status.

S44: If the verification values 202a and 803n are not
consistent with each other, the use extension data authenti-
cation unit 208 interrupts the process and returns an error
status.
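The card side, as an added Python example that is not part of the patent text, covering two passages at once: the log set output and deletion commands guarded by the log set outputting status 206b (steps S16 through S21 and the two-command rationale given with them), together with the subtraction counter 207b and the suspended status, and the second-embodiment authentication of use extension data in steps S41 through S44, where the logs generated after the last output are re-chained on top of the verification value 803. Assumptions, none of which the page fixes: the byte layout of the log set 500 and the plain text 800, an all-zero initial verification value 202a, the term of use 207a expressed as a plain day number, that the outputting status returns to "FALSE" once the set has been deleted, and HMAC-SHA256 in place of both the card's and the center's public-key signatures so the example runs offline.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

# Constructed encodings: the patent names the fields but gives no byte layout.
INITIAL_VV = bytes(16)   # assumed initial verification value 202a of a fresh card

def chain_step(prev_vv: bytes, log: bytes) -> bytes:
    """MD5 over log || previous verification value, as the MD5 operation unit 203 does."""
    return hashlib.md5(log + prev_vv).digest()

def sign(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 stands in for the card's and the center's public-key signatures."""
    return hmac.new(key, msg, "sha256").digest()

@dataclass(frozen=True)
class LogSet:                 # log set 500
    user_id: str
    serial: int
    logs: Tuple[bytes, ...]
    vv: bytes                 # verification value 705 in the signed plain text 700
    signature: bytes          # signature value 504

@dataclass(frozen=True)
class UseExtension:           # plain text 800 plus the center's signature
    log_quota: int            # number of logs that can be generated 801
    term: int                 # effective term 802, an assumed day number
    vv: bytes                 # verification value 803
    signature: bytes

def ext_plain(log_quota: int, term: int, vv: bytes) -> bytes:
    return log_quota.to_bytes(4, "big") + term.to_bytes(4, "big") + vv

def issue_use_extension(center_key: bytes, vv: bytes, log_quota: int, term: int) -> UseExtension:
    """What the center sends in S34 after a successful verification."""
    return UseExtension(log_quota, term, vv, sign(center_key, ext_plain(log_quota, term, vv)))

class ICCard:
    def __init__(self, user_id: str, card_key: bytes, center_key: bytes, term: int, quota: int):
        self.user_id, self.card_key, self.center_key = user_id, card_key, center_key
        self.vv = INITIAL_VV              # verification value storage unit 202 (202a)
        self.logs: List[bytes] = []       # log set storage unit 204; len() is log counter 204a
        self.serial = 1                   # log set serial number counter 206a
        self.outputting_status = False    # log set outputting status 206b
        self.term = term                  # term of use 207a
        self.quota = quota                # subtraction counter 207b
        self.suspended = False

    def generate_log(self, log: bytes, today: int) -> bool:
        """One use of the capsule: refused when suspended or past the term of use."""
        if self.suspended or today > self.term:
            self.suspended = True
            return False
        self.logs.append(log)
        self.vv = chain_step(self.vv, log)
        self.outputting_status = False    # a newer log makes the last output stale
        self.quota -= 1
        if self.quota == 0:
            self.suspended = True
        return True

    def output_log_set(self) -> LogSet:
        plain = self.user_id.encode() + self.serial.to_bytes(4, "big") + self.vv
        self.outputting_status = True
        return LogSet(self.user_id, self.serial, tuple(self.logs), self.vv, sign(self.card_key, plain))

    def delete_log_set(self) -> str:
        """Steps S16 through S21: deletion is refused unless the current set was output."""
        if not self.outputting_status:
            return "error: log set not output"          # S21, nothing is lost
        self.logs.clear()                               # S17 and S18
        self.serial += 1                                # S19
        self.outputting_status = False                  # assumption: an empty set is not "output"
        return "ok"                                     # S20

    def authenticate_use_extension(self, ext: UseExtension) -> str:
        """Steps S41 through S44 of the second embodiment."""
        expected_sig = sign(self.center_key, ext_plain(ext.log_quota, ext.term, ext.vv))
        if not hmac.compare_digest(expected_sig, ext.signature):
            return "error: bad signature"
        vv = ext.vv                                     # S41: re-chain logs 204a..204n on 803
        for log in self.logs:
            vv = chain_step(vv, log)
        if not hmac.compare_digest(vv, self.vv):        # S42 compares with 202a
            return "error: verification value mismatch"  # S44
        self.term = ext.term                            # S43
        self.quota = ext.log_quota - len(self.logs)
        self.suspended = False
        return "ok"

def demo() -> dict:
    """Constructed run: three uses, output, delete, two more uses, then the extension."""
    card = ICCard("U0001", b"card-key", b"center-key", term=100, quota=5)
    out = {"delete_before_output": card.delete_log_set()}
    for day in (1, 2, 3):
        card.generate_log(b"capsule run day %d" % day, day)
    first = card.output_log_set()
    out["delete_after_output"] = card.delete_log_set()
    card.generate_log(b"capsule run day 4", 4)          # used while the set is at the center
    card.generate_log(b"capsule run day 5", 5)          # quota reaches zero: card suspended
    out["suspended"] = card.suspended
    out["delete_with_new_logs"] = card.delete_log_set()
    ext = issue_use_extension(b"center-key", first.vv, log_quota=10, term=200)
    out["extension"] = card.authenticate_use_extension(ext)
    out["quota_after"] = card.quota                     # 10 minus the 2 logs stored since output
    out["suspended_after"] = card.suspended
    stale = issue_use_extension(b"center-key", INITIAL_VV, log_quota=10, term=200)
    out["stale_extension"] = card.authenticate_use_extension(stale)
    return out
```

The run shows why the status flag exists: a deletion issued before any output, or after a new log has been generated, is refused and the set survives, while a deletion right after an output succeeds and advances the serial number. It also shows the second embodiment's point: two logs generated while the log set was at the center are re-chained on top of the center's verification value 803, the result matches 202a, the card leaves the suspended status, and the new counter value is 801 minus those two logs; an extension carrying a stale verification value is rejected at S42.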

In this embodiment, the verification value in the use
extension data is verified in the IC card by re-deriving the
verification value from the logs stored in the log set storage
unit. However, the verification method is not limited thereto.
Alternatively, the verification value of the log set output last
time may be stored as a second verification value, separate
from the verification value stored in the verification value
storage unit 202, and the verification value in the use
extension data may be compared with this second verification
value.

The functions of the IC card are realized by the CPU 
therein by executing a program stored in the ROM. The 
program can be stored in a storage medium readable by other 
computers. As such a storage medium, a magnetic storage 
device, a semiconductor memory or the like may be used. 
For the distribution in the market, the program can be stored 
in the portable storage medium such as a CD-ROM or a 
floppy diskette, or stored in the storage medium of the 
computer connected to the network and transferred to other 
computers. For executing the program by the computer, the
program is stored in the hard disk device or the like in the 
computer and then loaded into the main memory. 
What is claimed is: 

1. A verification data generating apparatus comprising:
a verification value holding element that holds a verifi-
cation value;

a data generating element that upon a use of a software
program generates one of a plurality of data bodies,
each one of the plurality of data bodies being a log of
the use of the software program;

a verification value generating element that generates a
new verification value based on both the verification
value held in the verification value holding element and
the one of the plurality of data bodies whenever the one
of the plurality of data bodies is generated and updates
the verification value held in the verification value
holding element with the new verification value;

a data storing element that stores a set of data bodies to
form a history of the use of the software program, the
set of data bodies being a list of the plurality of data
bodies in order of generation;

a verification data outputting element that generates a
signature value by using the new verification value on
receiving a verification data outputting request and
outputs verification data including the set of data bodies
and the signature value.

2. The verification data generating apparatus as set forth
in claim 1, further comprising:
a data deletion element that deletes the plurality of data
bodies from the data storing element in reply to a data
deletion request; and

a counter that counts a verification data serial number and
performs an increment of the verification data serial
number whenever the plurality of data bodies is deleted
by the data deletion element,

wherein the verification data outputting element outputs
the verification data with a value of the counter at the
time when the verification data outputting request is
received.

3. The verification data generating apparatus as set forth
in claim 1, wherein the verification value generating element
generates the new verification value by using a one-way
function.

4. The verification data generating apparatus as set forth
in claim 1, further comprising:

a data generating condition holding element that holds a
condition for generating the plurality of data bodies;

a function suspending element that suspends a function of
the data generating element when the condition is
unsatisfied;

a use extension data authenticating element that authen- 
ticates use extension data when it is received; and 

a suspension canceling element that cancels the suspen- 
sion of the function when the use extension data is 
authenticated. 

5. The verification data generating apparatus as set forth 
in claim 4, wherein the use extension data authenticating 
element extracts a reference verification value from the 
received use extension data and authenticates the use exten- 
sion data if the reference verification value and the verifi- 
cation value held in the verification value holding element 
are consistent with each other. 

6. The verification data generating apparatus as set forth
in claim 4, wherein the use extension data authenticating
element extracts a reference verification value from the
received use extension data, selects one of the plurality of
data bodies in the data storing element in order of being 
stored, generates a new verification value based on the 
selected data body and the reference verification value, 
separately selects one of the plurality of data bodies and 
generates a new verification value in sequence and authen- 
ticates the use extension data if the new verification value 
generated at last and the verification value held in the 
verification value holding element are consistent with each 
other. 

7. The verification data generating apparatus as set forth
in claim 4, further comprising:

a second verification value holding element that holds the
value held in the verification value holding element as
a second verification value at the time when the veri-
fication data outputting element outputs the verification
data,

wherein the use extension data authentication element
extracts a reference verification value from the received
use extension data and authenticates the use extension
data if the reference verification value and the second
verification value are consistent with each other.

8. A data verification apparatus comprising: 

a verification value holding element that holds a verifi- 
cation value; 

a reference verification value generating element that 
receives verification data that is a set of data bodies that 
forms a history of use of a software program and 
includes a list of a plurality of data bodies in order of 
their generation and a signature value attached thereto 
and generates a reference verification value based on 
the verification value and the set of data bodies; 

an authenticating element that collates a verification value 
obtained from the signature value with the reference 
verification value and authenticates the verification 
data if the signature value and the reference verification 
value are consistent with each other; and 

a verification value updating element that updates the 
verification value with the reference verification value 
if the verification value obtained from the signature 
value and the reference verification value are consistent 
with each other. 

9. A storage medium readable by a computer, the storage 
medium storing a program of instructions executable by the 
computer to perform a function for generating verification 
data, the function comprising the steps of: 

holding a verification value; 

generating one of a plurality of data bodies upon a use of 
a software program, each one of the plurality of data 
bodies being a log of the use of the software program; 

generating a new verification value based on both the 
verification value and the one of the plurality of data 
bodies whenever the one of the plurality of data bodies 
is generated and updating the verification value with 
the new verification value; 

storing a set of data bodies to form a history of the use of 
the software program, the set of data bodies being a list 
of each of the plurality of data bodies in order of 
generation; and 

generating a signature value by using the verification 
value on receiving a verification data outputting request 
and outputting verification data including the set of data 
bodies and the signature value. 